Malware Analysis Report

2024-09-09 14:26

Sample ID: 240503-b8tl9aca91
Target: e07fd729182650c77f29293c6e4522c5.bin
SHA256: fb3375e035518ce5d71bf5038b8870b5246c2a2d2e06628350322e6ada734234
Tags: hook collection credential_access discovery evasion execution infostealer persistence rat stealth trojan ermac
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: fb3375e035518ce5d71bf5038b8870b5246c2a2d2e06628350322e6ada734234

Threat Level: Known bad

The file e07fd729182650c77f29293c6e4522c5.bin was found to be: Known bad.

Malicious Activity Summary

Tags: hook collection credential_access discovery evasion execution infostealer persistence rat stealth trojan ermac

Ermac2 payload

Ermac family

Hook family

Hook

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Prevents application removal

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings

Queries information about running processes on the device

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Schedules tasks to execute at a specified time

Acquires the wake lock

Declares services with permission to bind to the system

Requests dangerous framework permissions

Analyst notes

The signatures that carry the verdict are the accessibility-service calls (findAccessibilityNodeInfosByText, findAccessibilityNodeInfosByViewId, findAccessibilityNodeInfoByAccessibilityId) together with performGlobalAction: looking up UI nodes by text or view id is how this family locates and drives on-screen controls, and performGlobalAction is the usual means of backing the user out of the app's settings or uninstall screen, which is what the "Prevents application removal" signature records. The only destination in the three behavioral runs that is neither the resolver (1.1.1.1:53), mDNS (224.0.0.251:5353) nor an HTTPS (443) flow is 54.36.113.159:3434 over TCP, contacted seven times in behavioral3 and seven times in behavioral1 and not at all in behavioral2; treat it as the candidate C2 indicator for this sample. The 443 flows go to hosts the report resolves to google.com, googleapis.com and google-analytics.com names, or to unresolved neighbouring addresses. The permission set from static1 (SMS read, send and receive, call log, contacts, camera, overlay window, notification listener, device admin) is declared in the manifest, not observed: none of the behavioral runs recorded an SMS- or call-related signature.

MITRE ATT&CK Matrix

N/A
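The sandbox left the ATT&CK matrix empty. The block below is an added example, not sandbox output: it maps the dynamic signatures from the three behavioral sections and the permissions from static1 to ATT&CK Mobile techniques and writes an ATT&CK Navigator layer, scoring each technique by the number of detonations that observed it and marking techniques supported only by a declared permission. The mapping is mine, and the technique IDs and the layer's version fields are assumptions to check against the ATT&CK release your Navigator loads.

```python
import json
from collections import defaultdict

# Signatures common to all three behavioral detonations in this report
# (transcribed from the page; constructed input for this example).
COMMON = [
    "Makes use of the framework's Accessibility service",
    "Prevents application removal",
    "Makes use of the framework's foreground persistence service",
    "Queries information about running processes on the device",
    "Queries information about the current Wi-Fi connection",
    "Queries the mobile country code (MCC)",
    "Queries the phone number (MSISDN for GSM devices)",
    "Acquires the wake lock",
    "Reads information about phone network operator",
    "Schedules tasks to execute at a specified time",
]
HIDE = "Removes its main activity from the application launcher"
PROMPT = "Requests enabling of the accessibility settings"
RECEIVER = "Registers a broadcast receiver at runtime (usually for listening for system events)"
DYNAMIC = {
    "behavioral3": COMMON + [HIDE, PROMPT],
    "behavioral1": COMMON + [HIDE, PROMPT, RECEIVER],
    "behavioral2": COMMON + [RECEIVER],
}
# Permissions listed in static1 (declared in the manifest, not observed).
DECLARED = [
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.CAMERA", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
]

# Analyst mapping to ATT&CK Mobile (assumption: IDs valid for the ATT&CK
# version your Navigator loads; verify before publishing the layer).
MAPPING = {
    COMMON[0]: ["T1417.002", "T1516"],  # GUI input capture, input injection
    COMMON[1]: ["T1629.001"],           # prevent application removal
    COMMON[2]: ["T1541"],               # foreground persistence
    COMMON[3]: ["T1424"],               # process discovery
    COMMON[4]: ["T1422.002"],           # Wi-Fi discovery
    COMMON[5]: ["T1426"], COMMON[6]: ["T1426"], COMMON[8]: ["T1426"],
    COMMON[9]: ["T1603"],               # scheduled task/job
    HIDE: ["T1628.001"],                # suppress application icon
    RECEIVER: ["T1624.001"],            # broadcast receivers
    "android.permission.BIND_DEVICE_ADMIN": ["T1629.001"],
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ["T1517"],
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ["T1417.002"],
    "android.permission.CAMERA": ["T1512"],
    "android.permission.READ_SMS": ["T1636.004"],
    "android.permission.RECEIVE_SMS": ["T1636.004"],
    "android.permission.SEND_SMS": ["T1582"],
    "android.permission.READ_CALL_LOG": ["T1636.002"],
    "android.permission.CALL_PHONE": ["T1616"],
    "android.permission.ACCESS_COARSE_LOCATION": ["T1430"],
    "android.permission.READ_CONTACTS": ["T1636.003"],
    "android.permission.SYSTEM_ALERT_WINDOW": ["T1417.002"],
}
# The wake lock, the accessibility-settings prompt and GET_ACCOUNTS have no
# technique of their own here; they stay in the report but not in the layer.


def technique_scores():
    """{technique_id: {"score": n, "comment": str}}: score is the number of
    detonations that observed a mapped signature; techniques backed only by a
    declared permission score 0 and say so in the comment."""
    evidence = defaultdict(lambda: {"runs": set(), "sigs": set(), "declared": set()})
    for run, sigs in DYNAMIC.items():
        for sig in sigs:
            for tid in MAPPING.get(sig, []):
                evidence[tid]["runs"].add(run)
                evidence[tid]["sigs"].add(sig)
    for perm in DECLARED:
        for tid in MAPPING.get(perm, []):
            evidence[tid]["declared"].add(perm.rsplit(".", 1)[1])
    out = {}
    for tid, ev in evidence.items():
        parts = sorted(ev["sigs"])
        if ev["declared"]:
            parts.append("declared: " + ", ".join(sorted(ev["declared"])))
        out[tid] = {"score": len(ev["runs"]), "comment": "; ".join(parts)}
    return out


def build_layer(name="240503-b8tl9aca91 (Hook/Ermac)"):
    """ATT&CK Navigator layer dict; the version fields are an assumption."""
    return {
        "name": name,
        "domain": "mobile-attack",
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "techniques": [
            {"techniqueID": tid, "score": v["score"], "comment": v["comment"]}
            for tid, v in sorted(technique_scores().items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(), indent=2))
```

Declared-only techniques (score 0) stay in the layer so the reviewer sees what the sample could do but was not seen doing; drop them from the layer if it feeds an alerting rule rather than a report.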

Analysis: static1

Detonation Overview

Reported

2024-05-03 01:49

Signatures

Ermac family

ermac

Ermac2 payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Hook family

hook

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-03 01:49
Reported: 2024-05-03 01:52
Platform: android-x64-arm64-20240221-en
Max time kernel: 48s
Max time network: 159s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | - | tcp
GB | 216.58.201.110:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.200.10:443 | - | udp
GB | 142.250.200.14:443 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
GB | 172.217.16.228:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.36:443 | www.google.com | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp

Files

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 4cb6c06ed12de76dbb12f0f7a2fd6356
SHA1 2b517cbc39c5270765d9a6f7df6079cf94332589
SHA256 e341fb44b7d588d30b7d4827d7c3b1a1a1099d0afdd1a1739a0da663056d31eb
SHA512 4989dc91c92ebb0f88d843777cd8703768afde5fea3043279cea954ad94b16c0af0d305dd30e9d7bd84d470a41d74e97bf81d6e8a550f2a6a537e3b90a4f3ebb

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 1ed6ce67bc8b68c89aeb5b3a308d1790
SHA1 957a97bd5220e738f56053960df2c3508d8e28bb
SHA256 91afbb1eedd45f11d7e1c995c1405622381bf72489d63b81c172dba38feebbfe
SHA512 1bea9094f27fee4eefde57463da99a85e17305ba1c01a3050fd1b297f4c1ebb4d10335637d1b43e18e259c8bbc82389a5518e00146a185e85be60e8d59c70217

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 9c0a58b426013bd8c431fa8528cc56eb
SHA1 0917c1888da04bbc757e1e49f1186a0e4551ad96
SHA256 43f8d8d0fa0235e2ff62e7a52815a9a3cace833cede5ae70d957773e2443d010
SHA512 0ce070cf241258cc0b9a1984a4ec5afd9c209f2c86569759203fe20e5b2b2874dceafecb8518fb7c07449e09ece12878e924147d694798c0baf2549dbc1cbad7

/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 f521fe0b70b1c00c082a7c261949d800
SHA1 3c5814b68b27289ad6a34cf58ed602fb88ba6177
SHA256 8d7bd1852743f06f85ca6b592bf880fad93aa42c12c33cf7ff424e203a595ce9
SHA512 863f8198f823b07523f1aabd368ffb42916c25f1cf58a1e7f9510a7ca579506e5854267de21e47451ede8257b4dc85b2cdb547959d41b512eb875c94f4e2d874

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 01:49
Reported: 2024-05-03 01:52
Platform: android-x86-arm-20240221-en
Max time kernel: 30s
Max time network: 153s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 54.36.113.159:3434 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp
DE | 54.36.113.159:3434 | - | tcp

Files

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 a50d102af572b624f52aeb459bc95450
SHA1 ad6071ae6712af75f9df287c7fe7a1ba921c665f
SHA256 d2dfe69e03f8111ac5e0c669aeed557a7cb20170ab5f786114158d61f6d2f721
SHA512 aa7b3622caa08e9f5e7916b91d4ca5872d548aed235e198a85c403bcc48e5a173e5e0584edcca8c5af582ce1df647560af619177e6f54474191c6a71dd6fefaf

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 16888f7eae92180d688b84b76b3febbf
SHA1 d3250c7f7e6359294b67e9c0cd3f6e51cd130f2d
SHA256 7f80e54a4053ae99580d05c2538e29653199cf2fa8c50cefaa6e58eb36b5ec9e
SHA512 5e2957b781bacdf951d383aed54f8f8a0f1eabef2c17cfc466ec5016e6c2c192a5bf79d09207d4c8991a1e343070431202388cf152c957a1217f7d7f2001a80f

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 8fd3f257204381233f1b4f345fa0a6f3
SHA1 447e6fd5ef0457581578e35d5d8094eee9bf47f3
SHA256 477e5418ed4abb78feeea9f4dacfe2b9e58e69188e9e360281d4ffa736edf1aa
SHA512 e1f1fdaade92debb9d1ee7da6e496a09945d7dc44874f5ca07525f3501e3f173dc7a62c573f72e71a86411502e2b0523a4f3ee57af9f0cc32f3d0a8041638319

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 9e95412be9ba460a836546f3399c29f3
SHA1 4ad25765325622b1e5ea3b0e5f21a267ef49434b
SHA256 9ce0859772f6c7eaae7dd41edc7f5f186ea7cc016b1033ec8c564d6e20345ee1
SHA512 4ac63adcbb9e559abb4069c8aa8eadcc72e73a88bcd5263f6dacf5958db9cb74b7796282073dc76ab46ec5653742dc83c54043f197c6387a9fde7ee0829c3158

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 01:49
Reported: 2024-05-03 01:52
Platform: android-x64-20240221-en
Max time kernel: 155s
Max time network: 144s

Command Line

com.lexohiludulefu.jojuxewu

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.lexohiludulefu.jojuxewu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | null | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.212.228:443 | - | tcp
GB | 216.58.212.228:443 | - | tcp
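The three Network tables above mix resolver queries, mDNS, Google platform traffic and the sample's own connections in one flat list, with the Domain column missing whenever the sandbox could not tie a flow to a DNS answer. The block below is an added example (mine, not sandbox tooling) that parses rows in either the sandbox's space-separated form or a four-column pipe layout, classifies each flow, and ranks the remaining destinations by how often they were contacted. The rows are transcribed from the behavioral3 and behavioral2 sections; the benign name suffixes and address ranges are an analyst-supplied allowlist, not something the report states.

```python
import ipaddress
from collections import Counter

# Rows as the sandbox emits them (space separated; Domain absent or "null"
# when no DNS answer could be tied to the flow). Transcribed from the
# behavioral3 and behavioral2 sections; constructed input for this example.
BEHAVIORAL3 = """\
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 udp
GB 142.250.200.14:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
DE 54.36.113.159:3434 tcp
"""
BEHAVIORAL2 = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp
"""

# Analyst-supplied allowlist (assumption, not from the report): names and
# address ranges treated as platform/telemetry traffic for this triage.
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
BENIGN_NETS = [ipaddress.ip_network(n)
               for n in ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]
NO_DOMAIN = {"", "-", "null", "N/A"}


def parse_rows(text):
    """Accept the sandbox's space-separated rows or a 4-column pipe layout;
    skip blank lines and a 'Country ...' header; return one dict per flow."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lower().startswith("country"):
            continue
        if "|" in line:
            fields = [f.strip() for f in line.split("|")]
        else:
            fields = line.split()
            if len(fields) == 3:            # Domain column absent
                fields.insert(2, "")
        if len(fields) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, domain, proto = fields
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain in NO_DOMAIN else domain,
                     "proto": proto.lower()})
    return rows


def classify(row):
    """dns / mdns / platform / other; 'platform' depends on the allowlist."""
    ip = ipaddress.ip_address(row["ip"])
    if row["port"] == 53:
        return "dns"
    if ip.is_multicast:
        return "mdns" if row["port"] == 5353 else "multicast"
    if row["domain"].endswith(BENIGN_SUFFIXES) or any(ip in n for n in BENIGN_NETS):
        return "platform"
    return "other"


def summary(text):
    """Flow count per class for one Network table."""
    return dict(Counter(classify(r) for r in parse_rows(text)))


def candidates(text):
    """(ip, port, proto, flows) for every 'other' destination, most frequent
    first; on ties, non-web ports rank ahead of 80/443."""
    hits = Counter((r["ip"], r["port"], r["proto"])
                   for r in parse_rows(text) if classify(r) == "other")
    return sorted(((ip, port, proto, n) for (ip, port, proto), n in hits.items()),
                  key=lambda t: (-t[3], t[1] in (80, 443), t[0]))


if __name__ == "__main__":
    for name, table in (("behavioral3", BEHAVIORAL3), ("behavioral2", BEHAVIORAL2)):
        print(name, summary(table), candidates(table))
```

Without the allowlist the unresolved 443 flows (216.58.201.110, 142.250.200.10 and so on) would also land in "other"; they would still rank below 54.36.113.159:3434, which is contacted seven times on a non-web port, but the allowlist is what keeps the candidate list to one entry. behavioral2 yields no candidate at all, matching the table.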

Files

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-journal

MD5 cbdff98f683e66535d40cbd00e88cb86
SHA1 5c8e51c2bb72cca953c86aafac1503585dde392a
SHA256 e6a0f348c6534feb41b87d82098e87a8404fdf9dbf2d7f49fd19af7a56d37a0c
SHA512 1c7d8f47ac08490fc1eb42b540ce07037eff65de1674276866da87d49109bd37eec1e43895b34da18947aff2bad8c8954558f691fab6eb74b522a2fbaebb7002

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 3d4c23e8109d1c2efc55416b762fe338
SHA1 9afab3fc0b916cb1d97973906797ce927aff4767
SHA256 b68d44fdc2f092bd326cd0ad401a6cd0282a505d26941b6368099fad2ac02d48
SHA512 a7915c45d016f286df873feb98affcd15fd4b1e387aca9b23a8a18ff092f76cdf6deb3c43ff2692e8f336e8f55ac0e3c4d2183cb1c6b98498cd114871a38b709

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 82b5d8d39c3aeee19853f7a8120aae80
SHA1 d63da6f25a05b7ac5484228170e9eda308699ed9
SHA256 f2d0327d92365bb996ba4af1c41b69b76eb9b6518d90fb1d324edcbf1a1aa3ab
SHA512 92c05cb2c4c40f6eae70b2470f00113e213bf346cad4cf03fa9af8aec2f0decd86f4c0680a43ea94842e4c0699b0211d6c4787bb707fb06c4f92dff30ce44d8d

/data/data/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal

MD5 d216fe2ecdc537d499905e429ece4113
SHA1 32e9d741c823e70c571672220a53d9f2412c6d1b
SHA256 f1370c492d7d84e00cc713e55f61aed3b34b3634f8c57adeba9e4aff4eca91cd
SHA512 5d856c6ad55501f0a3361fdbbd9f4744b36ab3461de3962192d32318e7de26943bb2af3bf3888a36f8e21983e32a4e4d8d8ba2a594b3e2a453c1b667a3bdf073
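The androidx.work.workdb-shm entry carries the same MD5, SHA1 and SHA256 in all three detonations (bb7df04e1b0a2570657527a7e108ae23 / 5188431849b4613152fd7bdba6a3ff0a4fd6424b / c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479), while the -wal and -journal sidecars differ per run. A sidecar whose hash never changes across independent runs is usually content-free, and SQLite allocates the WAL index (-shm) in 32 KiB pages, so the obvious check is whether those digests are simply the digests of 32768 zero bytes. The block below is an added example (mine, not part of the report) that performs that check and separates such entries from the file hashes worth keeping as indicators; the hash values are transcribed from the page.

```python
import hashlib

# SQLite allocates the WAL index (the -shm sidecar) in 32 KiB pages, so a
# freshly opened WAL database leaves behind a -shm file that is all zero bytes.
SHM_PAGE = 32768

# File entries transcribed from this report (constructed input for this
# example): the -shm digests are identical in all three detonations, the -wal
# digests differ per run.
REPORTED = [
    ("/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-shm",
     {"md5": "bb7df04e1b0a2570657527a7e108ae23",
      "sha1": "5188431849b4613152fd7bdba6a3ff0a4fd6424b",
      "sha256": "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"}),
    ("/data/user/0/com.lexohiludulefu.jojuxewu/no_backup/androidx.work.workdb-wal",
     {"md5": "1ed6ce67bc8b68c89aeb5b3a308d1790",
      "sha1": "957a97bd5220e738f56053960df2c3508d8e28bb",
      "sha256": "91afbb1eedd45f11d7e1c995c1405622381bf72489d63b81c172dba38feebbfe"}),
]


def zero_file_digests(size):
    """Digests of a file consisting of `size` zero bytes."""
    data = bytes(size)
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def matching_algorithms(reported, size=SHM_PAGE):
    """Which of the reported digests equal those of an all-zero file of `size`."""
    ref = zero_file_digests(size)
    return {alg for alg, h in reported.items() if ref.get(alg) == h.lower()}


def empty_sidecar_size(reported, max_pages=4):
    """Size in bytes of the all-zero file the digests describe, trying
    1..max_pages SQLite -shm pages; None if nothing matches."""
    for pages in range(1, max_pages + 1):
        if matching_algorithms(reported, pages * SHM_PAGE):
            return pages * SHM_PAGE
    return None


def triage(entries):
    """Split (path, digests) entries into (indicators, noise); an entry is
    noise when its digests are those of a zero-filled -shm file."""
    indicators, noise = [], []
    for path, digests in entries:
        size = empty_sidecar_size(digests)
        (noise if size else indicators).append((path, size))
    return indicators, noise


if __name__ == "__main__":
    ind, noise = triage(REPORTED)
    print("noise (zero-filled):", noise)
    print("worth keeping:", ind)
```

The -wal and -journal digests survive the filter, but they are hashes of a per-run WorkManager database rather than of anything the sample dropped, so they identify the detonation, not the malware; the sample hash at the top of the report is the indicator to share.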